How can secrets be supplied to middlewares for separate docker-compose stacks?

I currently have traefik:v3.2.3 running as a Docker container, alongside the Homepage app. They are not in the same compose stack, but they share the same Docker network. I want separate basic auth for each of them. When I declare the secrets for each app in its own docker-compose.yml, the Traefik dashboard reports that the Homepage middleware does not exist. It does work if I place the Homepage secret inside the Traefik container's /run/secrets directory, but I'm looking to keep the secrets in their own stacks while still being able to reference them from the middlewares.

error from the dashboard:
open /run/secrets/HOMEPAGE_AUTH: no such file or directory

middleware yml for homepage:

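# Dynamic configuration loaded by Traefik's file provider.
# `usersFile` is opened by the Traefik process, so the path is resolved inside
# the Traefik container's filesystem -- a secret mounted only into the homepage
# container is not visible here (hence "open /run/secrets/HOMEPAGE_AUTH: no such
# file or directory"). The same secret must be attached to the Traefik service.
http:
  middlewares:
    homepage-basic-auth:
      basicAuth:
        usersFile: "/run/secrets/HOMEPAGE_AUTH"
        realm: "Homepage Basic Auth Realm"
        # Strip the Authorization header before forwarding to Homepage so the
        # backend never sees the basic-auth credentials it does not need.
        removeHeader: true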

middleware yml for traefik:

# Dynamic configuration for the dashboard's basic auth, loaded by Traefik's
# file provider. `usersFile` is read by the Traefik process itself, so the file
# must be mounted into the Traefik container (it is, via the TRAEFIK_AUTH
# compose secret). Referenced from the dashboard router as
# `middlewares-basic-auth@file`.
http:
  middlewares:
    middlewares-basic-auth:
      basicAuth:
        usersFile: "/run/secrets/TRAEFIK_AUTH"
        realm: "Traefik 3 Basic Auth"

traefik docker-compose.yml:

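# Compose secrets (non-swarm) are bind-mounted only into the services that list
# them under `secrets:`. Traefik evaluates `usersFile` inside its own container,
# so every basicAuth users file referenced by a file-provider middleware must be
# declared and attached HERE, even when the middleware protects a service from
# another stack. The `file:` path can point at the other stack's secrets
# directory so the credential is still kept in one place.
secrets:
  HOMEPAGE_AUTH:
    file: "./secrets/HOMEPAGE_AUTH.secret"
  TRAEFIK_AUTH:
    file: "./secrets/TRAEFIK_AUTH.secret"
  CF_API_EMAIL:
    file: "./secrets/CF_API_EMAIL.secret"
  # NOTE(review): CF_API_KEY is the Cloudflare Global API Key and grants full
  # account access. A DNS-01 challenge only needs the scoped DNS/zone tokens
  # below; drop the global key unless the static config (not shown) needs it.
  CF_API_KEY:
    file: "./secrets/CF_API_KEY.secret"
  CF_DNS_API_TOKEN:
    file: "./secrets/CF_DNS_API_TOKEN.secret"
  CF_ZONE_API_TOKEN:
    file: "./secrets/CF_ZONE_API_TOKEN.secret"

services:
  traefik:
    image: traefik:v3.2.3
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik_network
    ports:
      - "88:80"
      - "8443:443"
      # NOTE(review): 8080 serves the API/dashboard only if `api.insecure=true`
      # is set in the static config (not shown). If it is, the dashboard is
      # reachable here WITHOUT the basicAuth middleware attached below; bind to
      # "127.0.0.1:8080:8080" or remove the mapping and use the https router.
      - "8080:8080"
    # Every users file the middlewares reference must appear in this list.
    secrets:
      - "HOMEPAGE_AUTH"
      - "TRAEFIK_AUTH"
      - "CF_API_EMAIL"
      - "CF_API_KEY"
      - "CF_DNS_API_TOKEN"
      - "CF_ZONE_API_TOKEN"
    environment:
      - "TZ=America/Chicago"
      # The *_AUTH_FILE variables appear unused by Traefik itself -- the
      # middleware files reference the /run/secrets paths directly -- and are
      # kept only for parity with the CF_* file variables.
      - "HOMEPAGE_AUTH_FILE=/run/secrets/HOMEPAGE_AUTH"
      - "TRAEFIK_AUTH_FILE=/run/secrets/TRAEFIK_AUTH"
      - "CF_API_EMAIL_FILE=/run/secrets/CF_API_EMAIL"
      - "CF_API_KEY_FILE=/run/secrets/CF_API_KEY"
      - "CF_DNS_API_TOKEN_FILE=/run/secrets/CF_DNS_API_TOKEN"
      - "CF_ZONE_API_TOKEN_FILE=/run/secrets/CF_ZONE_API_TOKEN"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # NOTE(review): `:ro` only protects the socket node; the Docker API still
      # accepts mutating requests, so a compromised Traefik has root-equivalent
      # control of the host. Prefer a socket proxy that allows only the
      # read-only endpoints the docker provider needs.
      - /run/docker.sock:/run/docker.sock:ro
      - ./config:/etc/traefik
      - ./data/certs/:/var/traefik/certs/:rw
      - traefik-logs:/var/log/traefik
    labels:
      - "traefik.enable=true"
      # NOTE(review): this plain-http router carries no middleware and no
      # redirect; unless the static config redirects http->https at the
      # entrypoint, confirm nothing is served unauthenticated on port 88.
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.example.com`)"
      # - "traefik.http.middlewares.traefik-auth.basicauth.users=traefik:$$2y$$10$$o17r.XnYxVjxZ38qyB0FEeMOSxCnyxPqRxIMWrI7x9tmrxKsBBYJq"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=example.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.example.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.example.com`)"
      # Dashboard is only reachable through basic auth on the TLS router.
      - "traefik.http.routers.traefik-secure.middlewares=middlewares-basic-auth@file"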

homepage docker-compose.yml:

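---
# This secret is mounted only into the homepage container. Traefik evaluates
# the `homepage-basic-auth@file` middleware in ITS OWN container, so the same
# users file must also be declared and attached in the Traefik stack; declaring
# it here alone yields "open /run/secrets/HOMEPAGE_AUTH: no such file".
secrets:
  HOMEPAGE_AUTH:
    file: "./secrets/HOMEPAGE_AUTH.secret"

services:
  homepage:
    image: ghcr.io/gethomepage/homepage:latest
    container_name: homepage
    security_opt:
      - no-new-privileges:true
    ports:
      # Bound to loopback: a host-published port is reached directly, bypassing
      # Traefik and the basicAuth middleware entirely. Traefik talks to the
      # container on 3000 over traefik_network and does not need this mapping.
      - "127.0.0.1:3000:3000"
    volumes:
      - ${HOMEPAGE_HOME_DIRECTORY}:/app/config # Make sure your local config directory exists
      # NOTE(review): the Docker socket gives this container control of the
      # host. `:ro` only protects the socket node, not the API -- prefer a
      # read-only socket proxy for the docker integration.
      - /var/run/docker.sock:/var/run/docker.sock:ro # (optional) For docker integrations, see alternative methods
      # - ./secrets/AUTH.secret:/var/run/secrets/AUTH
    secrets:
      - "HOMEPAGE_AUTH"
    environment:
      - "HOMEPAGE_FILE_HOMEPAGE_AUTH=/run/secrets/HOMEPAGE_AUTH"
      - "PUID=$PUID"
      - "PGID=$PGID"
    networks:
      # - caddy_network
      - homepage_net
      - traefik_network
    labels:
      # caddy: homepage.example.com
      # caddy.route.reverse_proxy: "{{upstreams 3000}}"
      - "traefik.enable=true"
      - "traefik.http.routers.homepage.entrypoints=http"
      - "traefik.http.routers.homepage.rule=Host(`homepage.example.com`)"
      # The plain-http router previously had no middleware, so the app was
      # served unauthenticated on the `http` entrypoint. Protect it as well;
      # better still, redirect http->https at the entrypoint in the static
      # config so basic-auth credentials are never sent in cleartext.
      - "traefik.http.routers.homepage.middlewares=homepage-basic-auth@file"
      - "traefik.http.routers.homepage-https.entrypoints=https"
      - "traefik.http.routers.homepage-https.tls=true"
      - "traefik.http.routers.homepage-https.tls.certresolver=cloudflare"
      # - "traefik.http.routers.homepage-https.service=api@internal"
      - "traefik.http.routers.homepage-https.rule=Host(`homepage.example.com`)"
      - "traefik.http.routers.homepage-https.middlewares=homepage-basic-auth@file"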

Even though the middleware is attached to the target service via its labels, the file provider and the basicAuth middleware run inside the Traefik container, so the `usersFile` path must exist in Traefik's own filesystem. A compose secret declared only in the Homepage stack is bind-mounted into the Homepage container, not into Traefik; the same file has to be declared as a secret (or bind-mounted) in the Traefik stack as well, and its `file:` entry can point at the Homepage stack's secrets directory so there is still a single copy.
